Secure Internet and SaaS Access (ZIA)

Managing the QUIC Protocol

Google developed the QUIC protocol to increase the performance of HTTPS and HTTP (TCP 443 and TCP 80) connections. Chrome browsers have had experimental support for it since 2014, and it's also used in Chromium and Android devices.

QUIC connections do not require TCP handshakes. However, SSL inspection requires TCP session information. Because of this, Zscaler cannot examine QUIC sessions when users have SSL inspection enabled. When using QUIC, users might also experience certificate errors.

Zscaler best practice is to block QUIC. When it's blocked, QUIC has a failsafe to fall back to TCP. This enables SSL inspection without negatively impacting user experience.

Blocking QUIC

Choose how to block QUIC based on how you are forwarding your traffic to Zscaler.

GRE or IPSec Tunnel and Zscaler Client Connector (Z-Tunnel 2.0)

If you are sending your outbound internet traffic to Zscaler through a GRE or IPSec tunnel, or Zscaler Client Connector using Z-Tunnel 2.0, you can effectively block QUIC by creating a Firewall Filtering rule. This blocks QUIC UDP flows and forces the browser to default to TCP 80/443.

Normally, the Default Firewall Filtering Rule (the lowest rank rule) blocks QUIC unless specifically allowed. However, admins often create more general connectivity rules or groups of rules (e.g., User X or Source IP Address Y to Destination Group IP Address Y is allowed) that are overly permissive and do not explicitly exclude the use of QUIC. For this reason, one or more QUIC block rules might be needed to precede admin-defined allow rules.

As configured in the following steps, the Firewall Filtering rule blocks QUIC at the network service level. Network services configured in Zscaler are identified on the first packet by port and protocol, which leads to an immediate policy action. When packets match the configured rule, the Zscaler service drops them and sends the client an ICMP error message of Type 3 (Destination Unreachable) and Code 13 (Communication Administratively Prohibited).

  • To block QUIC with a Firewall Filtering rule:

    1. In the ZIA Admin Portal, go to Policy > Firewall Control.
    2. Click Add Firewall Filtering Rule.

      The Add Firewall Filtering Rule window appears.

    3. In the Add Firewall Filtering Rule window:
      1. Set the Rule Order to the highest possible rank, according to your organization’s desired policies.

        Zscaler recommends ranking rules for network services above rules for network applications, so that traffic that a first-packet (port and protocol) rule would block is not unnecessarily allowed by a network application rule.

      2. Ensure the Rule Status is Enabled.
      3. Ensure Any is selected for Users, Groups, Departments, Locations, and Location Groups.
      4. Ensure Always is selected for Time.
      5. Select Block/ICMP under Network Traffic.

      6. Click the Services tab and select QUIC under Network Services.
    4. Click Save and activate your changes.

In addition to UDP destination port 443, QUIC can use UDP destination port 80. To include port 80 in the network service definition of QUIC, you can modify the predefined network service or configure a custom network service. To learn more, see Modifying Predefined Network Services and Configuring Network Services.
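The rule-ordering point above, as an added example that is not Zscaler's code: a first-match evaluator over constructed rules shows a broad allow rule ranked above the QUIC block letting UDP/443 through, while the recommended ordering blocks it and still lets TCP/443 pass. The Flow and Rule structures, the rule names and the sample addresses are assumptions, not ZIA's API or log format.

```python
"""Added example (not Zscaler's code): first-match rule evaluation showing
why a QUIC block rule must outrank broad allow rules.
Flow, Rule and the sample values are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src: str          # client IP
    dst: str          # destination IP
    proto: str        # "tcp" or "udp"
    dport: int        # destination port

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "block"
    src: Optional[str] = None         # None means Any
    dst: Optional[str] = None
    proto: Optional[str] = None
    dports: frozenset = frozenset()   # empty means Any port

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or self.src == f.src)
                and (self.dst is None or self.dst == f.dst)
                and (self.proto is None or self.proto == f.proto)
                and (not self.dports or f.dport in self.dports))

def evaluate(rules, flow):
    """The first rule in rank order that matches decides; the default rule blocks."""
    for r in rules:
        if r.matches(flow):
            return r.name, r.action
    return "Default Firewall Filtering Rule", "block"

# The QUIC network service: UDP/443, extended here with UDP/80 as the text allows.
QUIC_BLOCK = Rule("Block QUIC", "block", proto="udp", dports=frozenset({443, 80}))
# An overly permissive connectivity rule of the kind described above (constructed).
BROAD_ALLOW = Rule("Allow LAN to SaaS", "allow", src="10.1.2.3", dst="142.250.0.1")

def shadowed_by(rules, block_rule):
    """Names of allow rules ranked above block_rule whose scope can still carry QUIC."""
    above = rules[:rules.index(block_rule)]
    return [r.name for r in above if r.action == "allow"
            and r.proto in (None, block_rule.proto)
            and (not r.dports or r.dports & block_rule.dports)]

if __name__ == "__main__":
    quic = Flow("10.1.2.3", "142.250.0.1", "udp", 443)
    print(evaluate([BROAD_ALLOW, QUIC_BLOCK], quic))   # broad allow ranked first: QUIC leaks
    print(evaluate([QUIC_BLOCK, BROAD_ALLOW], quic))   # QUIC blocked; browser falls back to TCP
    print(shadowed_by([BROAD_ALLOW, QUIC_BLOCK], QUIC_BLOCK))
```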

Zscaler Client Connector (Z-Tunnel 1.0)

If you are sending only Zscaler Client Connector traffic that uses Z-Tunnel 1.0 to Zscaler (or are supporting remote users), create a block rule on the device firewall that blocks UDP 80 and 443. This is typically done by an IT admin and differs for every organization.

TCP 80/443 Only

If you are only sending TCP 80/443 over a tunnel to Zscaler, block QUIC on your branch firewall.

  • If you are using a FortiGate firewall, you need to create a new service and then create a top-level policy to block the newly created service.

    To create a service:

    1. In the FortiGate portal, go to Policy and Objects > Services.
    2. Click Create new Service.
    3. Complete the following:

      • Name: Enter QUIC.
      • Protocol Type: Select TCP/UDP/SCTP.
      • Destination Port: To configure the destination ports:

        1. Destination Port: Select UDP.
          1. Low: Enter 443.
          2. High: Leave blank.
        2. Click the Add icon to add an additional destination port.
        3. Destination Port: Select UDP.
          1. Low: Enter 80.
          2. High: Leave blank.

        Other fields should be left with their default values.

    4. Click OK to save your service.

    To create a policy:

    1. In the FortiGate portal, go to Policy and Objects > IPv4 Policy.
    2. Click Create New.
    3. Complete the following:

      • Name: Enter a name for this policy (e.g., ServiceDeny).
      • Incoming Interface: Select Internal.
      • Outgoing Interface: Select wan.
      • Source: Select all.
      • Destination: Select all.
      • Schedule: Select always.
      • Service: Select the QUIC service you created.
      • Action: Select DENY.
      • Log Violation Traffic: Enable this option.
      • Enable this policy: Enable this option.

    4. Click OK to save your policy.
  • To block QUIC with a Palo Alto Networks firewall, you need to create a new security policy.

    To create a security policy:

    1. In the Palo Alto Networks portal, go to Policies > Security.
    2. Click Add.
    3. On the General tab, enter a Name for the rule.
    4. On the Source tab, select the Source Zone for your rule.
    5. On the User tab, select any as the value for users.
    6. On the Destination tab, select either Untrust or your internet-facing zone as the Destination Zone.
    7. On the Application tab:
      1. Select Add.
      2. Enter quic in the search bar.
      3. Select the quic application.
    8. On the Service/URL Category tab, leave all fields with their default values.
    9. On the Actions tab, select Drop as the action and configure other fields as desired.
    10. Click OK to save the policy.

If your firewall is not listed, refer to your manufacturer's documentation for details on how to block QUIC.

Alternatives

As an alternate measure, you can also block QUIC in Chrome itself.

  • If you have administrator access to Google Apps, you can create a policy that blocks QUIC in Chrome for all users. To learn more, refer to the Google Chrome Enterprise Help. If you do not, you can still disable QUIC on individual machines.

    Whenever Chrome is updated, the settings revert to their default values, so you need to disable QUIC again.

    To disable QUIC on individual machines:

    1. Open Chrome.
    2. Enter chrome://flags in the address bar.
    3. Enter quic in the search bar.
    4. Click the drop-down menu and select Disabled.

      When Default is selected, Chrome attempts to use QUIC.
    5. When prompted, click Relaunch Now to restart Chrome and apply your changes.